Annual Internal Audit Plan for 2021-2022

Internal Auditing Standard - Planning

The Chief Audit Executive (CAE) is responsible for developing a risk‐based engagement plan, considering the organization’s risk management framework. If a framework does not exist, the CAE uses his/her own judgment of risks after consideration of input from senior management and the board. The CAE must review and adjust the plan, as necessary, in response to changes in the organization’s business, risks, operations, programs, systems, and controls.

Objectives

The primary objective of the risk assessment process is to build a comprehensive, data‐driven, and objective risk‐based engagement plan that follows a business‐focused approach and allows flexibility. The engagement plan is designed to provide the College with the most comprehensive, timely audit coverage possible utilizing the resources available to the Internal Audit Department. As it is impractical to provide audit coverage to all College departments and functions on an annual basis, audit work is prioritized based on risk.

Our Vision

To be recognized as a collaborative, strategic, trusted advisor, and vital resource, providing information, analyses, and advice to help ensure operations are managed ethically, effectively, and efficiently.

Our Mission

Guided by a philosophy of adding value, the mission of the Internal Audit Department (IAD) is to enhance and protect organizational value by providing high‐quality, objective, risk‐based assurance and consulting services, advice, and insight, while embodying the commitment of improvement and betterment of the college, its students, and the community.

Definition of Internal Audit

Internal auditing is an independent, objective, assurance, and consulting activity designed to add value and improve the College’s operations. It helps the College accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, internal control, and governance processes throughout the various divisions and departments College‐wide.

In addressing our mission, the Internal Audit Department (IAD) supports and assists College leadership and staff in the effective discharge of their responsibilities and achievement of strategic objectives by providing analyses, recommendations, advice, and information concerning:

  • The adequacy and effectiveness of the College’s internal control structure;
  • The safeguarding of assets;
  • Compliance with applicable laws and regulations;
  • Achievement of management’s operational objectives; and
  • Effective business processes to achieve internal control efficiently and at a reasonable cost.

Internal Audit Department Structure

  • Chief Internal Auditor - Lori Cox
    • Assistant Internal Audit Director* - Paul Styrvoky
    • Senior Auditor - Amanda Benson
    • Senior Auditor - Corwyn Mitchell
    • Internal Auditor - Antanette Malone
    • Internal Auditor - Averil Fuller

*Note: Staff report to Assistant Director on a project basis.

Risk Assessment Process Overview

  • Identify Objectives
  • Identify Risks
  • Measure Risks
  • Prioritize Risks
  • Select Engagement & Develop Plan

Identify Objectives

The IAD’s risk assessment and audit plan supports the College’s commitment to the following Board of Trustees defined priorities:

  1. Impact Income Disparity Throughout Our Community
  2. Streamline and Support Navigation to and Through Our College and Beyond
  3. Strengthen the Career Connected Learner Network and Implement the Student‐Centric One College Organization
  4. Foster an Equitable, Diverse and Inclusive Environment for Employees and Students
  5. Re‐design Professional Development to Create a Diverse and Inclusive High Performing Work and Learning Environment
  6. Serve as the Primary Provider in the Talent Supply Chain Throughout the Region

Identify Risks

In conducting the risk assessment, IAD met with senior management and surveyed staff to solicit information to understand areas of risk within the College. The risk assessment process will be a continual effort to remain informed of emerging risks, initiatives, and opportunities to work with the College to help manage risks, provide independent assurance, and consult on projects, implementations, and initiatives. In addition, IAD reviewed College information and reports; researched risks common to higher education and other organizations; and reviewed the top topics on corporate internal audit plans, to gain a more holistic view of risks that may be relevant to the College. Items identified include:

  • Top 5 Higher Education and Organizational Risks for 2021/2022
    • Business Continuity Management
    • Cybersecurity & Information Security
    • Economic Conditions
    • Enterprise Risk Management/Regulatory Risk
    • Student Recruitment
  • Top 5 Topics on Internal Audit Plans for 2021/2022
    • Business Continuity & Crisis Management
    • Cybersecurity & Information Security
    • Fraud
    • IT Governance
    • Regulatory Risk
  • College Specific Risks and Concerns

    In addition to employee interviews and survey results, information used to identify potential College specific risks and concerns included:

    • Comprehensive Annual Financial Report: Fiscal Years August 31, 2019 and 2020
    • Strategic Priorities Dallas College Board of Trustees 2020‐2021
    • Board Policy Manual, Business and Support Services (Various)
    • Internal Audit Department Reports Fiscal Years 2018‐2019 and 2019‐2020

College Specific Risks and Concerns

Based on Surveys and Interviews

  • Safety and Security: 34%
  • Procurement: 34%
  • Employee Recruitment & Retention: 28%
  • Cyber & Information Security: 28%
  • Records Management and Retention: 24%
  • Succession Planning: 21%
  • Performance Evaluation: 21%
  • Data Liability: 21%
  • Business Continuity Planning: 21%
  • Professional Development ‐ Staff: 17%
  • Policies and Procedures: 17%
  • Employee Grievance Procedures: 17%

Measuring Risks

The significance of risks is assessed based on impact, probability, and velocity.

  • Impact (I): The effect on the College and stakeholders if a risk event occurs or if the area is not functioning as intended. Impact can include lost revenue, increased expenses, fines, adverse publicity, sanctions, reputational damage, and reduced employee morale.
  • Probability (P): The likelihood that a risk event occurs or that the area is not functioning as intended. Probability factors can include prior audit results, turnover, management and staff concerns, lack of internal monitoring and/or governance, operational and control weaknesses, and poor training.
  • Velocity (V): The pace at which the organization is expected to experience the impact of a risk. The speed of regulatory enforcement action is an example of velocity.
Table Measuring Risks

(1) Velocity is measured as Rapid, Reasonable, or Slow
*Areas of rapid velocity.

Likely Probability and Major Impact:

  • Cyber & Information Security*
  • Procurement
  • Operating Policies & Procedures
  • Professional Development-Staff
  • Safety & Security
  • Succession Planning

Likely Probability and Catastrophic Impact:

  • Business Continuity Planning*

Possible Probability and Moderate Impact:

  • Data Liability
  • Employee Grievance Procedures
  • Records Management and Retention

Possible Probability and Major Impact:

  • Employee Recruitment & Retention
  • Performance Evaluation

Prioritize Risks and Plan Development

  • Prioritization Factors (PF)

    Factors used to prioritize risks and build the engagement plan include:

    • Overlapping Higher Education/Organizational Risks and Internal Audit Plan Topics
    • College Specific Risk & Concerns rated as: (a) Major or Catastrophic Impact, (b) Likely or Almost Certain Probability, or (c) Rapid Velocity.
    • Required by auditing standards or other regulation.
  • Additional Planning Considerations (APC)
    • Internal Audit Resources
    • Engagement recently completed or planned (or carryover).
    • Current or upcoming operational and system changes.
    • Included in another engagement/review.
  • Special Requests (SR)

    Noted in the prioritization summary below.

Prioritization Summary

| Area/Function/Risk | PF | APC | SR | Included 2021-2022 Plan or Future Plan (FP) |
|---|---|---|---|---|
| Business Continuity Planning | | | | Yes |
| Cares Act Funding | | | | Yes |
| CLERY Compliance | | | | Yes |
| Cyber & Information Security | | | | Yes |
| Data Liability | | | | FP |
| Employee Recruitment & Retention | | | | FP |
| Fixed Assets | | | | Yes |
| Employee Grievance Procedures | | | | FP |
| Performance Evaluation | | | | FP |
| Police Dept. Property Room | | | | Yes |
| Policies and Procedures | | | | No* |
| Procurement | | | | Yes |
| Professional Development ‐ Staff | | | | Yes |
| Records Management & Retention | | | | FP |
| Richland Collegiate HS ‐ Attendance | | | | Yes |
| Richland Collegiate HS ‐ Curriculum Compliance | | | | Yes |
| Safety & Security | | | | Yes |
| Succession Planning | | | | Yes |
| Technology Governance | | | | Yes |

*A review of applicable policies and procedures will be incorporated into each engagement as appropriate.

In addition, top items that did not meet prioritization factors, items of general concern, and/or “governance related” items (i.e., accountability, collaboration) from interviews and questionnaires will be discussed with College leadership as applicable and appropriate, and addressed through consulting engagements where possible and time permitting.

Audit Plan - FY 2021-2022

| Engagement Type | Description | Target Fiscal Quarter |
|---|---|---|
| Audits/Continuous Audits | Cyber & Information Security | Cont. |
| | Fixed Assets | Cont. |
| | Procurement | Cont. |
| | Richland Collegiate High School Attendance | 4th |
| | Safety & Security | Cont. |
| Special Reviews/Consulting Engagements | Cares Act Funding Review | 1st |
| | CLERY Compliance | Cont. |
| | Police Department Property Room | 2nd |
| | Police Department Property Room | 3rd |
| | Richland High School Curriculum Compliance | 4th |
| | Succession Planning | 1st |
| Follow‐up Audits | Dual Credit | 2nd |
| | Employee Travel | 3rd |
| | IT General Controls | 2nd |
| Other Services, Duties & Special Projects | Business Continuity Planning | |
| | External Audit Assistance ‐ 2021 Financial and Single Audit | |
| | Fraud Hotline Administration and Monitoring (On‐Going) | |
| | Investigations (As Needed) | |
| | Technology Governance | |
| | Workday Implementation Participation (On‐Going) | |

Cont. – The review will be broken down into separate focus areas, completed periodically, due to the size and scope of the function/department.

Plan Flexibility

To ensure the IAD can respond timely to emerging risks and issues, the Audit Plan is subject to change due to:

  • New or emerging risks or priorities
  • Management requests
  • Special investigations or reviews
  • Special consulting services/engagements

IAD Horizons

In addition to the activities outlined on the Engagement Plan, IAD development projects planned for the 2021/2022 fiscal year include:

  • Fraud Hotline “Redevelopment”
  • Internal Audit Related Training for College Employees
  • Development of continuous audit processes for key College functions/departments.
  • Implementation of Audit Management Application to streamline IAD efficiency and effectiveness.